Method for cryptographically processing a message, method for generating a cryptographically processed message, method for performing a cryptographic operation on a message, computer system, client computer, server computer and computer program elements

ABSTRACT

A method for cryptographically processing a message is disclosed, wherein a first partial cryptographic key and a second partial cryptographic key, which correspond to a decomposition of a private cryptographic key, are used, the message is processed using the first partial cryptographic key resulting in a first partially processed message, the message is processed using the second partial cryptographic key resulting in a second partially processed message and the first partially processed message and the second partially processed message are combined resulting in a cryptographically processed message.

Method for cryptographically processing a message, method for generatinga cryptographically processed message, method for performing acryptographic operation on a message, computer system, client computer,server computer and computer program elements

The invention relates to a method for cryptographically processing amessage, a method for generating a cryptographically processed message,a method for performing a cryptographic operation on a message, acomputer system, a client computer, a server computer and computerprogram elements.

The number of people using computer networks for data transfers,particularly the Internet, has significantly increased in the lastyears.

Some of the data transferred using a computer network or stored in acomputer network is often secret, e.g. it should not be read or changedby people who are not privileged to do so.

Therefore, information (or data) security solutions and network securitysolutions, i.e. methods for guaranteeing security of computer networks,for example for preventing that non-authorized people access thecomputer network and/or the data transferred in the computer network,are of major importance.

Existing information security solutions and network security solutionsare barely keeping pace with the sophistication of attack methodologies.Most of the network security products on the market fall into twocategories:

-   Products for the prevention of attacks at the boundary between two    computer networks (for example firewalls)-   Products for the detection of an attack after the attack has    happened (for example intrusion detection systems).

Firewalls are designed to protect computer systems in a computer networkfrom hackers who attack from outside the computer network, but not frommalicious insiders, i.e., from people who access the computer networkfrom the inside, e.g. by a computer system which is part of the computernetwork. Firewalls concentrate security at one port, aggravating thesingle point of failure phenomenon. Intrusion detection systems can onlydetect an attack after the damage has been done. Hackers normally workfaster to come out with new attack methodologies to avoid beingdetected.

Application server computers which make use of public key cryptographic(PKC) systems for securing data transfers are playing an increasinglyimportant role in the Internet, for example in electronic commerce. Suchapplication server computers are for example web server computers thatserve Internet client computers, like a web server computer hosting theweb site of a bank and transferring the state of an account of a user toan Internet client computer used by that user.

Most of the web server computers use the SSL (Secure sockets layer)protocol to protect the communications with the client computers, i.e.,to guarantee secure data transfers. The SSL protocol employs PKC and isthe de-facto security protocol for web security. Security of PKC basedapplication server computers depends on the secrecy of the private keyof the PKC. If the private key is compromised, the entire system iscompromised and the consequence is that the transfer of data which isencrypted based on the private key and its corresponding public key isno longer secure.

An application server computer used by an enterprise, such as a webserver computer which hosts a web page of the enterprise, has typicallyto be placed outside the firewall of the enterprise's computer network,i.e., in a publicly accessible computer network separated from theenterprise's computer network by the firewall, such that web clientcomputers are able to access the web server computer.

In particular, the web server computer is not protected by the firewall.This makes the web server computer vulnerable to attacks. If the webserver computer carries a private key which is used for secure datatransfer by an underlying PKC, the web server computer becomes avulnerable point of failure. In [1], the RSA algorithm, which is themost popular PKC algorithm, is described.

An object of the invention is to prevent the security problems whicharise when a private key is stored on a computer which is vulnerable toattacks.

The object is achieved by a method for cryptographically processing amessage, a method for generating a cryptographically processed message,a method for performing a cryptographic operation on a message, acomputer system, a client computer, a server computer and computerprogram elements with the features according to the independent claims.

A method for cryptographically processing a message is provided, whereina first partial cryptographic key and a second partial cryptographickey, which correspond to a decomposition of a private cryptographic key,are used; the message is processed using the first partial cryptographickey resulting in a first partially processed message; the message isprocessed using the second partial cryptographic key resulting in asecond partially processed message; and the first partially processedmessage and the second partially processed message are combinedresulting in a cryptographically processed message.

Further, a method for generating a cryptographically processed message,a method for performing a cryptographic operation on a message, acomputer system, a client computer, a server computer and computerprogram elements according to the method for cryptographicallyprocessing a message described above are provided.

Illustratively, a method for protecting a private key (e.g. a RSA key)by splitting the private key into multiple key parts is provided.Partial operations corresponding to the multiple key parts are performedseparately and the results are later combined. Thus, it is possible thatthe partial operations are carried out on separate computers and inparticular, that on each computer only a key part—not the completeprivate key—has to be stored.

The private cryptographic key is at least decomposed into two partialcryptographic keys. To achieve even more security, however, the privatecryptographic key can be decomposed into a multiplicity of partialcryptographic keys which are stored on different key server computers.Accordingly, each of the multiplicity of key server computers canperform a partial operation using the partial cryptographic key storedin the key server computer and send the result to some server computerwhich combines the results.

For example, the key parts are stored in an application server computerand in one or more key server computers. In one embodiment, the keyserver computers each carry out a partial private key cryptographicoperation, e.g. compute a partial signature or a partial decryption, andsend the results to the application server computer which assembles theresults to form the result of the complete private key cryptographicoperation, e.g. the complete signature or decryption. Alternatively, theapplication server computer computes a partial signature or a partialdecryption itself and combines it with the results from the key servercomputers.

The procedure is for example controlled by an administrator managing thekey parts on different key server computers and application servercomputers and who creates key-pairs (consisting each of a private keyand a public key) and managing them during their entire life-time. Inone embodiment, an efficient mechanism for refreshing the key parts anda mechanism for splitting a RSA private exponent, such that efficientcomputation is achieved, is used. These two mechanisms can also becontrolled by an administrator. Further, load balancing techniques canbe used such that the cryptographical operations can be distributed tothe key server computers. In existing prior art, a private key of anapplication server computer has to be duplicated on all load balancingserver computers or all the load balancing server computers share acommon private key. (A -load balancing server computer is in this case acomputer performing cryptographic operations for the application servercomputer based on the private key, i.e., “helping” the applicationserver computer at performing cryptographic operations.) However, thismakes the private key more vulnerable to attacks since each of the loadbalancing server computers might be subject to an attack. The methodaccording to the invention provides much better security and scalabilityat the same time. By splitting the private key in different ways andsharing the private key parts with different key server computers, thesecurity of the system is not compromised if some of the key servercomputers fail or are successfully attacked.

For example, a private key is split in a first and a second part and thefirst part is stored in a publicly accessible application servercomputer and the second part is stored in a key server computer. If anattacker succeeds in getting the first part, he still needs tocompromise the key server computer to obtain the second part. Since thefirst part and the second part are preferably regularly refreshed, itwill be difficult for the attacker to obtain both parts unless theapplication server computer and the key server computer are compromisedat around the same time.

Illustratively, instead of just preventing or simply detecting attacks,according to the invention, e-immunity is built into a computer systemso that the computer system is tolerant to intrusions and attacks—it canmaintain the overall system security even when individual components arerepeatedly broken into and controlled by an attacker.

Preferred embodiments of the invention are given by the dependentclaims. The embodiments which are described in the context of the methodfor cryptographically processing a message are analogously valid for themethod for generating a cryptographically processed message, the methodfor performing a cryptographic operation on a message, the computersystem, the client computer, the server computer and the computerprogram elements.

It is preferred that the processing of the message using the firstpartial cryptographic key is carried out by a first computer and theprocessing of the message using the second partial cryptographic key iscarried out by a second computer.

Preferably, the first and the second computer are coupled via a computernetwork.

For example, the first computer is located in a publicly accessiblecomputer network and the second computer is located in a secure computernetwork coupled to the publicly accessible computer network.

It is further preferred that the method further comprises the step oftransmitting the message from the first computer to the second computer.

It is further preferred that the first partial cryptographic key and thesecond partial cryptographic key correspond to a decomposition of theprivate cryptographic key into a plurality of partial cryptographickeys.

Preferably, the plurality of partial cryptographic keys give, whensummed, the private cryptographic key.

In other words, this means that the private cryptographic key isdecomposed into a sum of partial cryptographic keys.

It is further preferred that the cryptographical processing of themessage is the signing of the message or the decrypting of a message.

It is preferred that the message is processed according to a public keycryptographic algorithm.

In a public key cryptographic algorithm, there exists a publiccryptographic key for decrypting a message and a private cryptographickey for decrypting (signing) a message. Typically, before a secretmessage is sent, a pair consisting of a private cryptographic key and apublic cryptographic key are generated. The private cryptographic keyand the public cryptographic key are for example large integers (e.g.with more than 100 binary digits). The message is encrypted using thepublic cryptographic key and is then sent to a receiver. The receivercan decrypt the message using the private key. Since the message canonly be decrypted using the private key and the private key is keptsecret by the receiver, the message can not be decrypted by someunauthorized person.

Preferably, the public key cryptographic algorithm is the RSA algorithm.

The invention can also be applied to other cryptographic methods thanRSA, for example to other assymetric cryptographic methods, keygenerating algorithms or other signing methods. In general, theinvention can be used with every algorithm were the result (for examplethe decrypted or signed message) is given by some function f whichfulfils f(x+y)=f(x)f(y) were x and y are cryptographic key parts. Forexample, cryptographic methods which are based on the discrete logarithmsatisfy this prerequisite.

It is further preferred that at selected times and after or before themessage is processed, a refreshed decomposition is determined.

Preferably, the refreshed decomposition is determined by decomposing thefirst partial cryptographic key and the second partial cryptographic keyand combining these decompositions to form a decomposition of theprivate cryptographic key.

Illustrative embodiments of the invention are explained below withreference to the drawings, wherein:

FIG. 1 shows a computer system according to an embodiment of theinvention.

FIG. 2 shows a flow diagram according to an embodiment of the invention.

FIG. 3. shows a private key, a first private key part and a secondprivate key part according to an embodiment of the invention.

FIG. 4 shows a flow diagram according to an embodiment of the invention.

FIG. 1 shows a computer system 100 according to an embodiment of theinvention.

The computer system 100 comprises an application server computer 101,which resides in a DMZ 102. The DMZ 102 (demilitarised zone) is asubnetwork that is located between a secure subnet 103 and a publicnetwork 104 which is publicly accessible.

The secure subnet 103 is e.g. a corporate private LAN (local areanetwork), the public network 104 is e.g. the Internet.

A client computer 105 resides in the public network 104 which is coupledto the application server computer 101.

Some web application runs on the application server computer 101 and theapplication server computer 101 serves the client computer 105 accordingto the web application. For example, the application server computer 101hosts the web side of the enterprise which owns the secure subnet 103.

The secure subnet 103 comprises a first key server computer 107 and asecond key server computer 108 and an administrator 109, i.e., acomputer system used by an administrator of the secure subnet 103.

The secure subnet 103 is protected at the boundary to the DMZ 102 by afirewall computer 106.

The application server computer 101 is responsible for the processing ofsecure operations, e.g. SSL (secure socket layer) authentication of theclient computer 105, decryption of encrypted data sent from the clientcomputer 105 to the application server computer 101 and signing messagessent by the application server computer 101 to the client computer 105.

In the following, the process of a secure communication between theapplication server computer 101 and the client computer 105, inparticular the process of decrypting a message sent to the applicationserver computer and encrypted by the client computer 105 and the processof signing a message sent from the application server computer 101 tothe client computer 105 according to an embodiment of the invention isexplained.

FIG. 2 shows a flow diagram 200 according to an embodiment of theinvention.

In the embodiment of the invention now described with reference to FIG.1 and FIG. 2, the RSA algorithm, for example described in [1], is used.The following denotations are used:

-   -   N: modulus, product of two large prime numbers p and q, i.e.        N=p*q  (1)    -   e: Public exponent    -   d: Secret exponent, which satisfies        ed=1 modΦ(N)  (2)        where        Φ(N)=(p−1)(q−1)  (3)    -   M: Message (to be encrypted)    -   C: Cipher text    -   D: Cryptographic digest of message M

To encrypt a message M, i.e. to form a cipher text C according to themessage M, C is computed according toC=M^(e) mod N  (4)

Thereby, it is assumed that the message M has the form of an integer,which is smaller than N. Large messages are broken up into smallermessages, such that the smaller messages can each be expressed asintegers smaller than N.

To decrypt the cipher text C, i.e. to reconstruct the message M from thecipher text C, one calculatesM=C^(d) mod N  (5)To sign a message M, one calculatesD^(d) mod N  (6)

D is computed from M by some hashing algorithm. For example, D can begenerated using MD2, MD4, MD5, the SHA-0 (Secure Hash Algorithm) or theSHA-1.

In step 201, the administrator 109 determines a public key (e, N) and acorresponding private key (d, N) for use with the RSA algorithm.

The administrator can generate the key-pair. Alternatively, the key-pairmight already exist and the administrator just splits the alreadyexisting key. This should also be reflected in FIG. 2.

The public key can be made known to users in the public network 104 by acertificate, which is digitally signed by a corresponding certificateauthority. The administrator 109 creates the public key and the privatekey using standard key generation techniques.

In step 202 the number d is split into a number of shares according tod=d₁+d₂+d₃+. . . +d₁  (7)

Wherein d₁, d₂, d₃, . . . ,d₁(1 integer) are the parts of d, which is inthe following referred to as the private key (although, to be exact, theprivate key is made up of d and N).

Each share can be stored on a different key server computer 107, 108(accordingly, the secure subnet 103 can comprise a multiplicity of keyserver computers). In this embodiment, it is assumed that d is splitinto two parts according to some decomposition, i.e.,d=d_(11+d) ₂₁  (8)or (according to another decomposition)d=d₁₂+d₂₂  (9)Generally, this is written asd=d_(1i)+d_(2i)  (10)in which d_(1i) and d_(2i) are selected random integers. d_(1i) is thenassigned to the application server computer, i.e., is stored on theapplication server computer and d_(2i) is stored on the key servercomputer 107, 108. Preferably, d_(2i) (which corresponds to adecomposition which is assigned the number i) is stored on the i^(th)key server computer, i.e., one of the key server computers 107, 108which is assigned the number i. In this embodiment, it is assumed thatd_(2i) is stored on the first key server computer 107.

It is assumed that in step 203 a cipher text has to be decrypted or amessage digest has to be signed. First, it is explained how a ciphertext is decrypted according to this embodiment.

The cipher text, which is denoted by C, is generated from a message M byusing the public key generated in step 201. The cipher text C is e.g.sent to the application server computer 101 by the client computer 105.For example, the client computer 105 used the public key generated instep 201 to encrypt a message to create the cipher text C.

According to the message M, C is assumed to be an integer generatedaccording to equation (4).

To decrypt the cipher text C, the application server computer 101 instep 204 first computesC^(d)1i mod N  (11)

Then, the application server computer 101 passes C to the first keyserver computer 107, which is assumed as mentioned above to hold theshare d_(2i) of the private key.

In step 205, the first key server computer 107 computesC^(d)2i mod N  (12)and sends the result to the application server computer 101. Using theresults of the calculations according to formulas (11) and (12) theapplication server computer 101 computesC ^(d)1i*C ^(d)2i mod N=C ^((d)1i ^(+d)2i) mod N=C ^(d) mod N=M  (13)in step 206.7

Thus, the cipher text C is decrypted and the message M is reconstructed.

The application server computer 101 might calculate its partialdecryption according to equation (11) at the same time as the first keyserver computer 107. It can pass the cipher text to the first key servercomputer 107 and while the first key server computer 107 is computingits partial decryption according to equation (12), the applicationserver 101 creates its partial decryption at the same time.

Now, the process for signing a message digest D is explained.

The message digest D is e.g. generated by the application servercomputer 101 from the message M, which has to be sent from theapplication server computer 101 to the client computer 105, by using ahash function.

In step 207 the application server computer 101 calculates a partialsignature according toD^(d)1i mod N  (14)

Then, the application server computer 101 sends D to the first keyserver computer 107. In step 208, the first key server computer 107computesD^(d)2i mod N  (15)and sends the result to the application server computer 101.

As above, the application server 101 might calculate its partialsignature according to equation (14) at the same time as the first keyserver computer 107. It can pass D to the first key server computer 107and while the first key server computer 107 is computing its partialsignature according to equation (15), the application server 101 createsits partial decryption at the same time.

Analogously to formula (13) the application server computer 101 computesin step 209 the signature according toD ^(d)1i*D ^(d)2i mod N=D ^((d)1i ^(+d)2i) mod N=D ^(d) mod N  (16)So, the application server computer 101 does not perform the securityfunctions all by itself, but cooperates with the key server computers107, 108, in this example with the first key server computer 107, forperforming security operations, such as decryption or signing.

The key server computers 107, 108 are located inside the secure subnet103 and are well protected-by the firewall computer 106. As mentioned,the private key shares are stored by the key server computers 107, 108to assist any secure function of the application server computer 101 (inthis example the private key share d_(2i) is stored by the first keyserver computer 107).

The administrator 109 is responsible for the generation of private keysand public keys, maintaining the secure configuration and monitoring thestatus. In case of any discrepancies, the administrator 109 can reactaccordingly.

The application server computer 101 is cooperating with the key servercomputers 107, 108 via secure channels, i.e., all data transferred fromthe application server computer 101 to the key server computers 107,108according to the process described above with reference to FIG. 2 istransferred via secure channels. Since the private key d is split intotwo parts d_(1i) and d_(2i), the application server computer 101 has tointeract with the first key server computer 107, i.e. with the one ofkey server computer 107, 108, which holds the part of the private keynot stored in the application server computer 101.

Illustratively, the application server computer 101 performs part of thesecurity functions using its private key part and one of the key servercomputers 107, 108 performs another part of the security functions usingits private key part. The application server computer 101 combines, asdescribed in steps 206 and 209, the two partial results together.According to this embodiment, the private key parts d^(1i) and d^(2i)are never combined to create the complete private key d.

Monitoring the current operation status, the administrator 109 is awareof the whole system security.

In the following, the process for splitting a private key d according toan embodiment of the invention is explained.

FIG. 3 shows a private key 301, denoted by d, a first private key part302, denoted by d₁, and a second private key part 303, denoted by d₂,according to an embodiment of the invention.

Let |Φ(N)| denote the number of bits in Φ(N). Since e is chosen a smallnumber (e.g. 3) and because of equation (2), the number of bits in abinary representation of d is close to |Φ(N)|. |Φ(N)| is the upper boundof the number of bits in a binary representation of d.

As shown above, in a description operation or signing operation, theapplication server computer 101 has to compute x^(d1) mod N, where X isC or D. The application server computer 101 does this by computingX^(2ˆj) mod N, (for j=0, 1, 2, . . . , |(N)|).  (17)

Analogously, the first key server computer 107 has to compute X^(d) 2mod N. It is not efficient, if the first key server computer 107 alsoperforms all computations according to equation (17). Therefore, thefollowing procedure for calculating a first private key part 302 and asecond private key part 303 of the private key 301 such thatd=d ₁ +d ₂  (18)is preferred. First a number i is chosen. Then, the lower i bits of thesecond private key part 303 are set to zero. The higher |Φ(N)|-i bits ofthe second private key part 303 are randomly assigned.

The first private key part 302 is now calculated according tod ₁ =d−d ₂.  (19)

Since at least i digits of the second private key part 303, i.e., of d₂,are zero, much computation time on computing X can be saved, since thecomputations according to equation (17) have only to be performed for atmost |Φ(N)|-i values of j. The computation load of the first key servercomputer 107 can thus be reduced significantly.

After splitting the private key 301, the administrator 109 can store theprivate key 301 in some secure location, e.g. offline, or can delete theprivate key 301, since it is easy to construct the private key 301 fromthe first private key part 302 and second private key part 303.

For ensuring security, according to one embodiment of the invention, thedecomposition of the private key d into two parts is changed at sometimes, referred to as refresh periods.

So, if a hacker succeeds in attacking the application server computer101 and knows the part of the private key d stored in the applicationserver computer 101, the security of the system is only compromised, ifthe hacker also succeeds to get the other part of the private key untilthe next refresh period.

A process for calculating a new composition of a private key is nowexplained with reference to FIG. 4.

FIG. 4 shows a flow diagram 400 according to an embodiment of theinvention.

The processing steps of the flow diagram 400 are carried out by anapplication server computer 401, e.g. the application server computer101, and a key server computer 402, e.g. one of the key server computers107, 108. As above, the application server computer 401 and the keyserver computer 402 communicate via fire wall 403.

Let at the beginning of a refresh period a first private key share 403,denoted by d₁, be stored on the application server computer 401 and asecond private key share 404, denoted by d₂, be stored on the key servercomputer 402. According to equation (18), the first private key share403 and the second private key share 404 form a private key denoted byd, which is used for decryption and signing purposes as described above.

In step 405 the application server computer 401 computes a decompositionof the first private key share 403 according tod ₁ =d ₁₁ +d _(12.)  (20)

Analogously, the key server computer 402 computes in step 406 adecomposition of the second private key share 404 according tod ₂ =d ₂₁ +d _(22.)  (21)

In step 407, the application server computer 401 sends d₁₁ to the keyserver computer 402, which forms a refreshed private key share 408,denoted by d₂′, according tod ₂ ′=d ₂₁ +d _(11.)  (22)

Analogously, in step 409, the key server computer 402 sends d₂₂ to theapplication server computer 401, which forms a refreshed first privatekey share 410, denoted by d₁′, according tod _(1′=d) ₁₂ +d ₂₂  (23)

As mentioned above, there exist of plurality of decompositions of aprivate key d according to equation (10) for a plurality of different i.Preferably, all d_(1i) are stored on the application server computer101, and the respective second private key share d_(2i) is stored on thei^(th) key server computer. The application server computer 101 can nowdepending on the work load of the key server computers 107, 108,distribute the partial decryption or signature operations to differentkey server computers 107, 108. According to the key server computer 107,108, the application server computer 101 distributes the partialoperation to, the application server computer 101 has to use thecorresponding private key share, i.e. the application server computer101 has to use d_(1i) for the partial operation performed by theapplication server computer 101, if a partial operation is distributedto the i^(th) key server computer. As described above with reference toFIG. 2, the application server computer 101 combines the results of thepartial operations.

As earlier indicated, in FIG. 2, it is not always necessary for theadministrator to generate the keys. The principal aim of theadministrator is to split the keys and manage the split keys. Keygeneration can be done by the administrator but not necessary.

In this document, the following publication is cited:

-   -   [1] R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for        obtaining digital signatures and public key cryptosystems”,        Communications of the ACM, Vol. 21, No., 2, Feb. 1978, pp.        120-126

1-19. (canceled)
 20. Method for cryptographically processing a message,wherein—a first partial cryptographic key and a second partialcryptographic key, which correspond to a decomposition of a privatecryptographic key, are used; the message is processed using the firstpartial cryptographic key resulting in a first partially processedmessage; the message is processed using the second partial cryptographickey resulting in a second partially processed message; the firstpartially processed message and the second partially processed messageare combined resulting in a cryptographically processed message, whereinfurther at selected times and after or before the message is processed,a refreshed decomposition is determined and wherein the refresheddecomposition is determined by decomposing the first partialcryptographic key and the second partial cryptographic key and combiningthese decompositions to form a decomposition of the privatecryptographic key.
 21. The method according to claim 20, wherein theprocessing of the message using the first partial cryptographic key iscarried out by a first computer and the processing of the message usingthe second partial cryptographic key is carried out by a secondcomputer.
 22. The method according to claim 21, wherein the first andthe second computer are coupled via a computer network.
 23. The methodaccording to claim 21, wherein the method further comprises the step oftransmitting the message from the first computer to the second computer.24. The method according to claim 20, wherein the first partialcryptographic key and the second partial cryptographic key correspond toa decomposition of the private cryptographic key into a plurality ofpartial cryptographic keys.
 25. The method according to claim 24,wherein the plurality of partial cryptographic keys give, when summed,the private cryptographic key.
 26. The method according to claim 20,wherein the cryptographical processing of the message is the signing ofthe message or the decrypting of a message.
 27. The method according toclaim 20, wherein the message is processed according to a public keycryptographic algorithm.
 28. The method according to claim 27, whereinthe public key cryptographic algorithm is the RSA algorithm. 29.Computer system comprising a first processing unit which is adapted toprocess a message using a first partial cryptographic key, whichcorresponds to a decomposition of a private cryptographic key, resultingin a first partially processed message; a second processing unit whichis adapted to process a message using a second partial cryptographickey, which corresponds to the decomposition of the private cryptographickey, resulting in a second partially processed message; a combining unitwhich is adapted to combine the first partially processed message andthe second partially processed message resulting in a cryptographicallyprocessed message, wherein further at selected times and after or beforethe message is processed, a refreshed decomposition is determined,wherein the refreshed decomposition is determined by decomposing thefirst partial cryptographic key and the second partial cryptographic keyand combining these decompositions to form a decomposition of theprivate cryptographic key.
 30. Method for generating a cryptographicallyprocessed message wherein a message is processed using a first partialcryptographic key, which corresponds to a decomposition of a privatecryptographic key, resulting in a first partially processed message; themessage is transmitted to a client computer; a second partiallyprocessed message is received which is the message processed using asecond partial cryptographic key which corresponds to the decompositionof the private cryptographic key; the first partially processed messageand the second partially processed message are combined to acryptographically processed message, wherein further at selected timesand after or before the message is processed, a refreshed decompositionis determined, wherein the refreshed decomposition is determined bydecomposing the first partial cryptographic key and the second partialcryptographic key and combining these decompositions to form adecomposition of the private cryptographic key.
 31. Server computercomprising a processing unit which is adapted to process a message usinga first partial cryptographic key, which corresponds to a decompositionof a private cryptographic key, resulting in a first partially processedmessage; a transmitting unit which is adapted to send the message to aclient computer; a receiving unit which is adapted to receive a secondpartially processed message which is the message processed using asecond partial cryptographic key which corresponds to the decompositionof the private cryptographic key; a combining unit which is adapted tocombine the first partially processed message and the second partiallyprocessed message to a cryptographically processed message, whereinfurther at selected times and after or before the message is processed,a refreshed decomposition is determined, wherein the refresheddecomposition is determined by decomposing the first partialcryptographic key and the second partial cryptographic key and combiningthese decompositions to form a decomposition of the privatecryptographic key.
 32. Method for performing a cryptographic operationon a message, wherein a message is received; the message is processedusing a partial cryptographic key which corresponds to a decompositionof a private cryptographic key resulting in a partially processedmessage; the partially processed message is transmitted to a servercomputer, wherein further at selected times and after or before themessage is processed, a refreshed decomposition is determined. 33.Client computer comprising a receiving unit which is adapted to receivea message; a processing unit which is adapted to process the messageusing a partial cryptographic key which corresponds to a decompositionof a private cryptographic key resulting in a partially processedmessage; a transmitting unit which is adapted to transmit the partiallyprocessed message to a server computer, wherein further at selectedtimes and after or before the message is processed, a refresheddecomposition is determined.
 34. Computer program element which, whenexecuted by a computer, makes the computer perform the following stepsprocessing a message using a first partial cryptographic key whichcorresponds to a decomposition of a private cryptographic key, resultingin a first partially processed message; processing the message using thesecond partial cryptographic key which corresponds to the decompositionof the private cryptographic key resulting in a second partiallyprocessed message; combining the first partially processed message andthe second partially processed message resulting in a cryptographicallyprocessed message, wherein further at selected times and after or beforethe message is processed, a refreshed decomposition is determined,wherein the refreshed decomposition is determined by decomposing thefirst partial cryptographic key and the second partial cryptographic keyand combining these decompositions to form a decomposition of theprivate cryptographic key.
 35. Computer program element which, whenexecuted by a computer, makes the computer perform the following stepsprocessing a message using a first partial cryptographic key whichcorresponds to a decomposition of a private cryptographic key resultingin a first partially processed message; transmitting the message to aclient computer; receiving a second partially processed message which isthe message processed using a second partial cryptographic key whichcorresponds to the decomposition of the private cryptographic key;combining the first partially processed message and the second partiallyprocessed message to a cryptographically processed message, whereinfurther at selected times and after or before the message is processed,a refreshed decomposition is determined, wherein the refresheddecomposition is determined by decomposing the first partialcryptographic key and the second partial cryptographic key and combiningthese decompositions to form a decomposition of the privatecryptographic key.
 36. Computer program element which, when executed bya computer, makes the computer perform the following steps receiving amessage; processing the message using a partial cryptographic key whichcorresponds to a decomposition of a private cryptographic key resultingin a partially processed message; transmitting the partially processedmessage to a server computer, wherein further at selected times andafter or before the message is processed, a refreshed decomposition isdetermined.